Dealing with endpoint data protection issues

Perhaps one of the least-expected IT revolutions is the decentralization of data among endpoint devices. After decades of IT delivering consolidated infrastructure platforms (servers), data is becoming increasingly distributed as end users demand increasing flexibility in the devices that they use in their workplace. “Endpoint” should not be confused with “BYOD,” as today’s endpoint devices include not only bring your own device (self-purchased) units, but also a myriad of corporately issued devices, each of which has its own data protection issues.

Challenges with legacy endpoint mechanisms

Historically, some IT organizations attempted to treat the “B” in BYOD as “buy” your own device, implying choice, but then the device was heavily managed like corporately issued devices. But why would an individual purchase a device with their own money, just so that IT can then put agents and other management tools on it? (They wouldn’t.) Today, regardless of who purchased the device and whether the device is used solely for work or for supporting work and personal life, these devices hold corporate data and should therefore be protected, period.

The challenge is that traditional endpoint protection mechanisms often use architectures that aren’t that different from the server-centric mechanisms that have been in use in the data center. Those legacy approaches often require traditional software-distribution vehicles, heavy authentication/network methods, etc. — none of which are conducive to the modern and relatively disconnected devices of today. Other legacy approaches try to force the users to behave differently than they intuitively would or follow other IT (not customer-centric) directives:

  • “If you put your data in this directory, we will protect it. Otherwise we won’t.”
  • “Bring your new BYOD to the IT department and we will return it next week, with new stuff on it.”
  • “Bring your new BYOD to work, configure a VPN, log on with your corporate credentials, and run this script.”

None of these have proven effective because, while companies have focused on the “B” of “Bring/Buy,” some IT organizations have lost sight of the “YO” for “your own” device. Any product that attempts to change user behavior for how the personally owned device was intended to be operated (as a loosely connected, Internet-centric, consumer experience) will almost assuredly fail.

You must protect the data — but maybe not the device

If the data is corporate data, it is the IT department’s responsibility to protect the data. That being said, not all devices require protection, as there is a difference between “consumption” and “creation” devices. Here’s a look at the data protection issues involved with each type of device.

Consumption devices utilize data that exists in other locations, often on server/service platforms that are more easily backed up by IT professionals. An extreme example would be an e-reader, whose book and music library exists in a cloud service. Because there is no unique data on that device, there arguably isn’t the need to back it up — only secure it from unauthorized access or data/device loss. A less extreme example is a consumer tablet. Data on these devices consists of:

  • Email — which exists not only on the device, but also on the email server/service.
  • Files — which are often replicated using an online file sharing/synchronization (OFS) service, such as Dropbox, while a copy more capable of being backed up likely resides on a desktop or other corporate-managed platform.
  • Multimedia — which is accessed from a central repository.

Arguably, the only data that may not be natively stored elsewhere is the configuration of the user experience and optional applications (e.g., games/apps) — and some tablet OS manufacturers provide native backup tools for those configuration elements, as well. The result is that if a consumption device is broken, lost or compromised, one can:

  • Purchase a new/similar device, perhaps newer than the original.
  • Receive the UI experience/configuration from the OS vendor’s cloud storage, if possible.
  • Reconfigure the email, file and multimedia client applications, which are sometimes retained in the configuration above.
  • Resynchronize data to the new device.

Note the word “resynchronize” rather than “restore.” For a consumer, that may be adequate — but not for a corporate employee, because resynchronizing only addresses the most recent/current version of the data; it isn’t a backup. If the data has errors or deletions, those human-caused issues will replicate to the other server/service instances. Backups ensure usability by providing access to previous versions of the data and are therefore still required, even with synchronization technologies. With a consumption device, the other copy or copies of the data on a corporate server, in the cloud, or on another device are more easily protected by the IT team.
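The difference between resynchronizing and restoring can be shown with a small simulation. This is an added example, not part of the original column; the class names, file name and three-day event sequence are constructed for illustration. It also shows that a backup only helps if its retention window reaches back past the mistake.

```python
"""Sync vs. versioned backup: what each can recover after a bad edit."""

class SyncReplica:
    """Mirrors the device's current state and keeps no history."""
    def __init__(self):
        self.files = {}

    def sync(self, device_files):
        # Additions, changes AND deletions all propagate to the replica.
        self.files = dict(device_files)

    def fetch(self, path):
        return self.files.get(path)

class VersionedBackup:
    """Keeps one point-in-time snapshot per run, pruned to `retain` runs."""
    def __init__(self, retain):
        self.retain = retain
        self.snapshots = []  # list of (label, files), oldest first

    def run(self, label, device_files):
        self.snapshots.append((label, dict(device_files)))
        self.snapshots = self.snapshots[-self.retain:]

    def restore(self, path, is_good):
        # Walk back from the newest snapshot to the last usable version.
        for label, files in reversed(self.snapshots):
            content = files.get(path)
            if content is not None and is_good(content):
                return label, content
        return None

def simulate(retain):
    """Constructed scenario: a good edit, a bad overwrite, then a deletion."""
    path = "q3-forecast.xlsx"
    device = {path: "v1 figures"}
    replica, backup = SyncReplica(), VersionedBackup(retain)
    events = [
        ("mon", lambda d: d.update({path: "v2 figures"})),
        ("tue", lambda d: d.update({path: "OVERWRITTEN BY MISTAKE"})),
        ("wed", lambda d: d.pop(path)),
    ]
    for day, change in events:
        change(device)
        replica.sync(device)      # the sync service follows every change
        backup.run(day, device)   # the backup records each day's state
    return replica.fetch(path), backup.restore(path, lambda c: "figures" in c)

if __name__ == "__main__":
    print(simulate(retain=3))  # replica has nothing; backup restores Monday
    print(simulate(retain=2))  # retention too short: good version aged out
```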

Creation devices, on the other hand, have the ability and user-friendly form factor to create unique data that may not exist on any other server/service. As such, they should be backed up with the same tenacity with which any other corporate IT asset should be protected, while recognizing that many of the same OS-centric and file-synchronization protection mechanisms will likely exist on those platforms, as well. Therefore, IT should focus on ensuring the addition of corporate-backup assurance of the corporate data, not on trying to make the endpoint device conform to legacy procedures.

How to protect endpoint data successfully

There are two equally important mandates to ensure successful endpoint data backup, not including the security-related best practices of device encryption, remote wipe, etc.:

  • Lightweight delivery — The data protection application must be lightweight (i.e., consumer app-like) and not force changes in the users’ behavior. Burdensome installation/configuration or procedural changes that are counterintuitive will ensure that the data is not protected well enough.
  • Highly-visible management — IT has to have the visibility to ensure that backups are happening and that access is part of the recovery solution instead of being part of the backup problem. It is this second requirement that defines the difference between consumer endpoint offerings and corporate/enterprise-credible products.

The right combination of these two mandates will enable IT to ensure corporate compliance for data protection with the same retention mandates as corporate servers, while users are unimpeded by the backup. This brings up one last consideration: understanding the privacy considerations of backing up data that is mixed with both corporate data and private data.

Users leveraging a consumer product to back up their corporate-plus-private data will have the only backup copies — which means that when the user leaves, their BYOD and the backups will leave the company with them. This undesirable scenario leaves the former employee with corporate data and the former employer with nothing.

If IT uses a product that backs up corporate data and private data, it could result in the company having access to private data that IT shouldn’t have. For example, if an employee volunteers with a youth organization, the company should not have access to private information about the kids. But an inflexible, all-encompassing backup product will capture all data on the machine, resulting in privacy challenges and corporate liability.

Thus, a third key to success is flexibility of protection selection, so that both the employer and the employee have the data that they need — without any data that they shouldn’t.

 [Originally posted on TechTarget as a recurring columnist]
